Everything’s Insecure, And We Need To Fix It

Electronic warfare, espionage, and hacking are now a reality of everyday life. While most of us go about without giving a second thought to preventing the next disastrous attack, some people never sleep because of it. The MIT Technology Review recently spoke on this topic with Greg Shannon, former chief scientist at Carnegie Mellon University’s Software Engineering Institute and current assistant director for cybersecurity strategy at the White House Office of Science and Technology Policy.

While billions of dollars are now spent on new security technologies, breaches of massive magnitude are a frequent occurrence. The reason for that is “that the incentives to wage malicious cyber activities keep skyrocketing,” Shannon says. Thing is, “threats were always there, but it was okay to use patches. Today what’s available online, and its value, keep increasing exponentially—and so do the incentives to exploit systems and steal data.”

The problem comes down to efficiency and efficacy, Shannon says. You can apply patches as much as you like, but “at the end of the day this doesn’t achieve much, because it doesn’t create a general, systemic solution. It’s not efficient.”

What’s needed is a complete rethink and restructure of how we build software and develop security systems. “This requires rigor in how the billions of lines of code that run our networked infrastructure are actually written and updated,” Shannon says.

While places like NASA have rigorous procedures for writing bug-free code, most companies simply lack the incentive to do so. The costs, to their mind, outweigh the benefits. The solution is “to consider incentives for everybody to write better code,” on the policy side, with “liability, regulations, or market mechanisms.”

Shannon highlights the Internet of Things as the biggest opportunity to shape a more secure future.

“Networked devices in cars and homes, and wearable devices, could introduce a multitude of new attack vectors, but if we get things right with these devices and cloud-based technologies, we can make sure the next generation of technology will have security built in.”

Still, it will take some years of vigorous effort to get at least the critical components to the level of security needed. If we start now, pervasive good security practices could happen in 20 years or more. But we have to start now, because the stakes are rising.